[erlang-questions] Malformed countryName in x509 certs + public_key
Andy Bailey
andy.bailey@REDACTED
Mon Jun 2 23:28:44 CEST 2014
Hi All,
I'm working on an Erlang project that entails controlling some
devices that expose a SOAP api. The device manufacturer made a
mistake and shipped the devices with a cert where the countryName
field in the cert subject is three characters long.
Even with verification disabled via ssl options, we get a crash while
parsing the cert (this stack with with R15B01 but I get the
same results with 17)
{{{badmatch,{error,{asn1,{length,2,<<"USA">>}}}},
[{public_key,pkix_decode_cert,2,[{file,"public_key.erl"},{line,215}]},
{public_key,validate,2,[{file,"public_key.erl"},{line,630}]},
{public_key,path_validation,2,[{file,"public_key.erl"},{line,591}]},
{ssl_handshake,certify,7,[{file,"ssl_handshake.erl"},{line,218}]},
{ssl_connection,certify,2,[{file,"ssl_connection.erl"},{line,514}]},
{ssl_connection,next_state,4,[{file,"ssl_connection.erl"},{line,1929}]},{gen_fsm,handle_msg,7...
So presumably the cert runs afoul before the normal verification
steps, and disabling verification doesn't help.
Normally it wouldn't be a big deal to replace these certs, but there
are a bunch of them and the process entails an interruption of
service on the device, so I'm hoping to find a workaround.
One option would be to modify public_key to accept the three byte
value until we can get the certs rotated- I've experimented with
modiying PKIX1Explicit88.asn1 and recompiling with asn1ct, but I am
totally clueless in this area and suspect I may be on a fools errand :)
Anyhow- my purpose in mailing the list was to see if any other erlang
users have run into a similar predicament, and to see if you found a
good strategy for working around it.
Thanks in advance!
.andy
More information about the erlang-questions
mailing list